About this document

This is a working reference for securing modern AI systems - models, the cloud they run in, retrieval, agents, the protocols that connect them (MCP, A2A), coding agents, and the frontier-safety and governance regimes forming around them. It is compiled and maintained by Iaroslav Mezin as a living document, revised continuously as the field moves. It is written for a technically literate reader: security practitioners, red-teamers, AI and platform engineers, and advanced students. It assumes comfort with security fundamentals and a working mental model of how machine-learning systems behave.

One idea organizes everything that follows. For modern AI systems the decisive security boundary is rarely the model’s raw output - it is the path from untrusted content in to privileged action out. Read the whole document through five recurring boundaries: inputs (prompts, retrieved documents, tool output, protocol metadata), the model and runtime, memory and context, tools and actions, and external assets and identities. Retrieval, browser agents, coding agents, MCP, and identity all turn out to be variations on the same theme once those five are held in view.

How to use this

The sections run foundations → advanced, but each stands alone - jump via the contents below. The incident board (II.15) and any dated vendor claim are point-in-time snapshots - verify specifics against primary sources before relying on or citing them.

Security, legal & privacy notice

This document is for defensive research, security assessment, and authorized testing only. Do not use its methods, prompts, or examples against systems you do not own or lack written authorization to test. It is not legal or compliance advice; privacy, security, and export-control obligations vary by jurisdiction and use case - obtain qualified counsel where required. Do not place real personal data, credentials, or regulated information into testing workflows without authority, a lawful basis, and a retention plan.